Strong Incident Response Starts with Careful Preparation

Through working every day with organizations’ incident response (IR) teams, I am confronted with the entire spectrum of operational maturity. However, even in the companies with robust IR functions, the rapidly evolving threat landscape, constantly changing best practices, and surplus of available tools make it easy to overlook important steps during planning. As a result, by the time an incident occurs, it’s too late to improve their foundational procedures.

Broadly put, there are three phases to an IR plan: Preparation, Response, and Post-Incident. In this three-part series, I’ll cover the important steps in each phase that many organizations overlook.

In this piece, I’ll cover the phase where organizations spend most of their time: preparation. If you do preparation right, it can strengthen your ability to manage incidents throughout the other phases, but do it poorly and you’ll be left scrambling. What makes preparing an IR plan especially challenging is that you have to spend a lot of time guessing about what might happen down the road. It is difficult to determine if you’ve missed any important steps until it’s too late. So, with this in mind, here are five steps that you should not overlook during preparation.

1. Conduct a Detailed Risk Assessment. Think of a risk assessment as the preparation for the preparation. There are good frameworks to follow, but if you don’t customize IR plans to your exact priorities, you’ll greatly reduce their effectiveness. The first thing to establish is what assets are considered the “crown jewels” of your organization. In other words, what is the short list of things that must be protected, even if all else fails? In many companies, this will be the intellectual property that the business is built on. In others, it is customer data, which would cause massive reputational damage if breached. Whatever your crown jewels are, you need to identify them, understand how they’re vulnerable, and take steps to limit their exposure. All access within your company should follow the principle of least privilege, but access to these critical assets should be particularly scrutinized.

2. Establish Lines of Communication. Trying to figure out on the fly how to communicate during an incident will lead to needless problems. While most companies have crisis communications plans of some kind, you should also be sure to assess the edge cases during your preparation phase so as to not be caught off guard. Remember that, similar to a natural disaster, if an incident is severe, certain methods of communication might be compromised or unusable. Response can slow to a crawl if there isn’t a clearly outlined sequence of events for who reports to whom, and which parties require regular updates and notifications on remediation. Be sure that your communications plan does not overlook the potential need to bring in other departments after an incident. A security breach isn’t just a security issue. You must be prepared to communicate with IT, PR, HR, Legal, and even the board of directors.

3. Define Roles. As you can see in the previous step, a major incident will require involvement from a lot of people. Even if you have a full-time IR team in place, you should identify who else will be needed, and under what circumstances. Don’t overlook thinking through various scenarios and appointing directly responsible individuals for the unusual choices with which you may be faced. For example, with the growing prevalence of ransomware, many companies are finding that they don’t know who has the authority in their organization to decide to pay the ransom, or to purchase cryptocurrency. If you don’t have an across-the-board policy to not pay ransom, you need to know who can approve the funds, and who can buy Bitcoin on behalf of the company.

4. Tailor Playbooks to Likely Threats. Based on your risk assessments (step 1), past incident data, and external sources like threat intelligence feeds, you should have a sense of what types of attacks are most likely. Make sure that you have incident response playbooks in place for all of these incident types. Most companies have some playbooks, but it is not enough to just set up one or two broad IR workflows and then forget about them. In today’s dynamic threat landscape, you should have playbooks that are specific to each major incident type, tailored to your particular needs, and regularly updated to reflect new threats and changing priorities.

5. Reinforce Employee Awareness. Not every employee is directly involved in security, but every employee can compromise security through simple mistakes. Companies are getting better at prioritizing cybersecurity awareness, but many still view it as a box to be checked once a year, or only during employee training. Your preparation for incidents should include sharing information with employees on an ongoing basis. They should be made aware of the latest threat intelligence, new phishing campaigns, and potential attack vectors, and educated on what they can do to mitigate these risks.

In the next article in this series, I’ll move on to the response phase itself, to cover five steps you might overlook during detection, analysis, containment, eradication, and recovery.

Stan Engelbrecht is the Director of Cybersecurity Practice at D3 Security and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.